All posts for the month September, 2010

Using the idea from the last post, we have machinery that takes a set of Rules, a gen_fsm, a setup function, and a cleanup function as input. To develop this, there is once again a big question: will this be done with parse transforms or with macros and functions? To help answer this question, and to figure out how it should work, let’s write some mock code. This will be the first iteration of the ATG (Automated Test Generator).

First Iteration – Brainstorm

For this first iteration, it gets easier if we break it down into some use-cases, first off, the battery of Rules,

% ------------------------------------------------------------------------------
% List of all rules - mock code!
% ------------------------------------------------------------------------------
rules() ->
    [
     % Seller and buyer registration.
     % The postcondition needs to access the password which was generated in
     % the Program so that we can verify that the tradepost holds the correct
     % registration.
     {notreg(seller), do_reg(seller), reg(seller, generated_pwd)},
     {notreg(buyer),  do_reg(buyer),  reg(buyer, generated_pwd)},
     % Insert item / cash; should insert a random amount of cash and random
     % items. The postcondition must be able to test the existence of that
     % item / cash and thus must have access to the generated item / cash.
     {reg(seller), insert(item), item_is(inserted_item)},
     {reg(buyer),  insert(cash), cash_is(inserted_amount)},
     % Removal of cash or item; remove needs to use the password which
     % the tradepost currently has.
     {tradepost_has(cash), remove(cash), nottradepost_has(cash)},
     {tradepost_has(item), remove(item), nottradepost_has(item)},
     % Close a deal; we must check that the _returned value_ is the correct one.
     % We must pass on the returned value to the postcondition, which must
     % then also have access to the original item and cash.
     {tradepost_has(cash)
      andalso tradepost_has(item), closedeal(), return_value_is(??)}
    ].

As can be seen, I added some comments on thoughts that deserve discussion. It will often be the case that the postcondition needs to refer to a value which is the result of the Program; an example is the test for correct registration. For that case, we need access not only to the state, but also to the generated password which was used. How to fix it? Bind the Program result to a special atom ‘$PROGRAM_RESULT’, and likewise bind the state to a special atom ‘$STATE’. Problem solved. Please note that such a solution leans towards parse transforms.

% The State is accessed through the special atom
% '$STATE', and the module must include the state record.
reg(seller) -> '$STATE'#state.seller =/= undefined;
reg(buyer) -> '$STATE'#state.buyer =/= undefined.
% Passwd can be result from Program, thus the call in
% the Rule may then be { ..... , reg(seller,'$PROGRAM_RESULT')}
reg(seller,Passwd) -> '$STATE'#state.seller == Passwd;
reg(buyer,Passwd) -> '$STATE'#state.buyer == Passwd.

Another special binding added to this machinery is the identifier of the gen_fsm; this could be a registered name or a Pid. Its usage is shown below, where a registration is performed and the password is returned for the postcondition.

% The identifier of the gen_fsm is accessed through '$ID'
do_reg(seller) ->
    Password = generate_passwd(),
    tradepost:seller_identify('$ID', Password),
    Password. % This line ensures that '$PROGRAM_RESULT' is bound to
              % the generated password, for the postcondition to access.

How the ‘$ID’ is bound is unclear for now, but that can be taken care of later; remember that we are just writing mock code to get an idea of what we might want. Going from top to bottom, how would we like to see the insertion?

% This of course also uses '$ID', but also the state to access the password.
% It seems only fair to return the inserted item from this function, as that
% probably is what we wish for, ... always.
insert(item) ->
    Password = '$STATE'#state.seller,
    Item = generate_item(),
    tradepost:seller_insert('$ID', Item, Password),
    Item; % Ensure '$PROGRAM_RESULT' is Item
insert(cash) ->
    Password = '$STATE'#state.buyer,
    Cash = generate_cash(),
    tradepost:buyer_insert('$ID', Cash, Password),
    Cash. % Ensure '$PROGRAM_RESULT' is Cash

Coupled to this: how do we test that the cash is the amount we wish, and that the item is the sought one?

% Utilizing both state and id; the nice thing is that the result
% of the withdraw function will be bound to '$PROGRAM_RESULT' in this mockup.
remove(cash) ->
    Passwd = '$STATE'#state.buyer,
    tradepost:buyer_withdraw('$ID', Passwd);
remove(item) ->
    Passwd = '$STATE'#state.seller,
    tradepost:seller_withdraw('$ID', Passwd).

Nearing the end of the first iteration of brainstorming, what remains is a way to program the deal closing and a way to test its return value. ‘$PROGRAM_RESULT’ is still our friend, but it would be good to have some kind of parallelism. Once again, how would we like to see this written?

This seems to do the trick: the idea is to pass a list of functions which are executed in parallel; the result of each one is bound to an element of a generated list, which in turn is bound to ‘$PROGRAM_RESULT’. As this covers the first iteration of brainstorming, it would be nice to sum it up.
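The snippet itself did not survive into this archive; as a mock-up of the idea just described, a deal-closing Program might look something like this. The ‘$PARALLEL’ shape, and the names seller_ok/2 and buyer_ok/2, are assumptions for illustration, not the post's actual code.

% Mock code! '$PARALLEL' takes a list of functions which the machinery
% runs concurrently; their results are collected into a list which is
% then bound to '$PROGRAM_RESULT' for the postcondition to inspect.
closedeal() ->
    {'$PARALLEL',
     [fun() -> tradepost:seller_ok('$ID', '$STATE'#state.seller) end,
      fun() -> tradepost:buyer_ok('$ID', '$STATE'#state.buyer) end]}.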

Summary of First Brainstorming session

The Automated Test Generator machinery has a set of Rules. Each Rule is modeled as a 3-tuple: the first element is a Precondition that has to hold for the Rule to possibly take action; the second element is a Program which is executed iff the Precondition holds and the Rule is chosen; the third element is a Postcondition that must hold once the Program of the Rule has executed.

The different special syntax elements which have been identified now are

‘$STATE’, the internal state of the gen_fsm being tested.

‘$ID’, identifier of the gen_fsm, can be a registered name, a registered name on a node or a Pid.

‘$PROGRAM_RESULT’, the result of the Program (middle element in the Rule)

‘$PARALLEL’, keyword for marking that functions are to be executed in parallel, and the joint result is bound to ‘$PROGRAM_RESULT’

Besides these special syntactical elements, we should try structuring the thoughts a bit more.

This third part will add the deal closure API as well as refactor the code; we will also see the inception of the Automated Test Generation machinery.

Sixth Iteration – Deal closing API and the beginning of the ATG machinery

Buyer and seller can now insert their items and wish to close the deal; for this we need some kind of “security”. To implement this, the buyer and seller must both agree on the item and the cash. They both query the tradepost for its contents and get the item name and the cash amount; then, if they agree, they can each send an okay to the tradepost with the same item name, the same cash, and their Pid. If the tradepost contains an item with that name and that cash, the tradepost sends the item to the buyer and the cash to the seller. The tradepost then terminates.
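As a rough sketch of how that agreement could be tracked inside the gen_fsm (not the post's actual code; the state name item_and_cash, the record fields, and the helper deliver/1 are all assumptions):

% Mock sketch: both parties must send matching {ok_deal, Item, Cash, Pid}
% before the tradepost pays out and terminates.
item_and_cash({ok_deal, Item, Cash, Pid},
              State = #state{object = Item, cash = Cash, ok_asked = Asked}) ->
    case lists:usort([Pid | Asked]) of
        [_, _] ->
            % Both parties agreed: hand over item and cash, then terminate.
            deliver(State), % assumed helper sending item/cash to the parties
            {stop, normal, State};
        NewAsked ->
            % Only one party has agreed so far; keep waiting.
            {next_state, item_and_cash, State#state{ok_asked = NewAsked}}
    end.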

For this parallelised receive, the syntax of the symbolic language is extended with

To pull this off, we need to extend the state with a holder for the agreeing parties’ Pids. This will reveal a flaw in the current syntax that has not been so evident until now (but surely nagging) and that will need to be countered.

Greatness! But, in order for this to work, some modification had to be done to all previous tests: we had to extend the state record with new fields, and as a result the loopdata assertion had to be changed in each test! What if we had 1000 previous tests? *pulls hair in desperation* Also, after this success, I did some refactoring, something that _should_ be done after each tests + code + success cycle. This is also a great thing: once you have a nice big set of tests, you can always verify that a refactoring preserves the logic by running your tests. *thumbs up*

With this success, it’s time to hunt the real corner-case bugs using Automated Test Generation, a very strong piece of machinery that requires some setup. Oh, and just in case you forgot how it all fits together…

Automated Test Generation – inception

As we wish to generate complex (almost the same as long) test sequences, and do not wish to enter them by hand, we want a piece of machinery which does this for us. An immediate question that comes to mind is: how does the machinery know which sequences are actually valid? Well, that is for us to know and express. Here we can draw inspiration from Hoare Logic and use that notion for our automated test generator. A good candidate would be a syntax similar to:
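The original snippet is missing from this archive; based on the description that follows, a rule presumably takes the shape of a Hoare triple. A plausible sketch, with illustrative predicate and program names:

% Mock sketch of a single rule: a Hoare triple {PreCondPred, Program,
% PostCondPred}. All function names here are assumed for illustration.
rule() ->
    {fun(State) -> precondition_holds(State) end,          % PreCondPred
     fun(State) -> run_program(State) end,                 % Program
     fun(State, Result) -> postcondition_holds(State, Result) end}. % PostCondPred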

We would thus want the machinery to behave as follows. Given the current gen_fsm state and the list of all rules, return the list of rules for which the PreCondPred holds. From this list, choose one rule at random and execute its Program. After execution, check whether the PostCondPred holds. If not, record a failure. On success, repeat the process: randomly select a valid rule, apply it, and so on.
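That loop can be sketched as follows. This is a mock-up, not the actual ATG implementation; the triple layout follows the brainstorming above, and current_fsm_state/0 is an assumed helper for reading the gen_fsm state after each step.

% Mock sketch of the ATG main loop: filter rules by precondition,
% pick one at random, run its Program, check the postcondition, repeat.
atg_loop(_State, _Rules, 0) ->
    ok;
atg_loop(State, Rules, StepsLeft) ->
    Valid = [R || R = {Pre, _, _} <- Rules, Pre(State)],
    Rule = {_Pre, Program, Post} = lists:nth(rand:uniform(length(Valid)), Valid),
    Result = Program(State),
    NewState = current_fsm_state(),   % assumed helper
    case Post(NewState, Result) of
        true  -> atg_loop(NewState, Rules, StepsLeft - 1);
        false -> {failure, Rule, Result}  % record the failing rule and result
    end.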

For this to work, we need to write our own generator; here we can peek at the EUnit User’s Guide section on Lazy Generators. However, that will be discussed in the next part of this series. For now, the iterations have ended.

PS: I apologize for the long delay before this post, but I had a lot to do on the sidelines.

In the last post we saw the symbolic language (somewhat of a DSL) for gen_fsm testing; using that as help, we shall continue with the Buyer API. Technically, we are now doing the fourth iteration.

Fourth Iteration – Buyer API

The buyer wishes to be identified like the seller, to deposit cash, and to withdraw cash; thus his/her usage is similar. Following good TDD, we write the tests first, adding them to tradepost_tests.erl.

The newly added instantiators:

% This is the main point of "entry" for my EUnit testing.
% A generator which forces setup and cleanup for each test in the testset
main_test_() ->
    {foreach,
     fun setup/0,
     fun cleanup/1,
     % Note that this must be a List of TestSet or Instantiator
     [
      % First Iteration
      fun started_properly/1,
      % Second Iteration
      fun identify_seller/1,
      fun insert_item/1,
      fun withdraw_item/1,
      % Fourth iteration
      fun identify_buyer/1,
      fun insert_cash/1,
      fun withdraw_cash/1
     ]}.

Wow. Great. So the buyer and the seller can now deposit and retract their respective parts. Awesome. However, there are some intentionally left-out parts (and yes, I assume more than one of you has been thinking and cringing about it): the interleaving of the actions. That is left for the fifth iteration.

Fifth Iteration – Interleaving of Actions

Pretty straightforward: what if the seller identifies and inserts the item, and the buyer wishes to identify after this?

The issue is of course that it is not possible to identify oneself in any state other than the pending one. Do we consider this a flaw or part of the system design? For this example, we shall regard it as a flaw. The true design should be that either buyer or seller must be able to identify themselves once before inserting their part and closing the deal.

Let’s add some more tests that we know should pass, like reversing the roles, and adding more interleaving of actions. As will be seen, this causes a lot of code, and we discover the need for some Automated Test Generation.

These are not all the tests (some 6 more are hidden). For the future (for some future iteration), we would like to specify which state transitions are legal, which functions cause these transitions, and ultimately let the machine generate them for us, run the sequences and test whether all is good.

Also, when failing, it would be tremendously nice if the automatic test generation would show us a trace of the failing run.

After fixing up the problem with identification, a lot of the tests run through; however, a new problem is evident.

It is not possible to insert the cash after the item has been inserted!(?) Clearly, there is an interleaving problem between item insertion and cash insertion. The true design should be that either buyer or seller must be able to insert xor withdraw their item / cash before closing the deal, irrespective of the other party’s item / cash.

An interesting thing to note is that we got this failing test because the test was longer: it triggered more transitions and was, in a sense, more complex. This is another thing we wish to get for free from an automated test generation engine.

Wishing to test what we just discussed, we add a longer test that should serve as a green light once it goes through.

This post is TDD-based and shows how the Tradepost program is developed and tested.

First iteration – Start and Stop

I start writing the test! This gives me the opportunity to crystallize my thoughts about the program.

The module implementing the tests of the Tradepost

-module(tradepost_tests).
-include_lib("eunit/include/eunit.hrl").

% This is the main point of "entry" for my EUnit testing.
% A generator which forces setup and cleanup for each test in the testset
main_test_() ->
    {foreach,
     fun setup/0,
     fun cleanup/1,
     % Note that this must be a List of TestSet or Instantiator
     % (I have instantiators == functions generating tests)
     [
      % First Iteration
      fun started_properly/1
     ]}.

% Setup and Cleanup
setup() -> {ok, Pid} = tradepost:start_link(), Pid.
cleanup(Pid) -> tradepost:stop(Pid).

% Pure tests below
% ------------------------------------------------------------------------------
% Let's start simple, I want it to start and check that it is okay.
% I will use the introspective functions for this
started_properly(Pid) ->
    fun() ->
        ?assertEqual(pending, tradepost:introspection_statename(Pid)),
        ?assertEqual([undefined, undefined, undefined, undefined, undefined],
                     tradepost:introspection_loopdata(Pid))
    end.

Compilation and running should fail, as the gen_fsm module is still minimal.

Wow, I’m glad we got that sorted out. Now, as we have set the first nail in the mountain and hooked us to it, the climb begins in a series of cycles. Next up, the Seller API.

Second Iteration – Seller API

What the seller needs is a way to insert an item and a way to remove an item, and also to identify him/herself with a naive password approach. Once identified, the seller (and only the seller) should be able to add and retract items.

The main_test_() has now been expanded to

% This is the main point of "entry" for my EUnit testing.
% A generator which forces setup and cleanup for each test in the testset
main_test_() ->
    {foreach,
     fun setup/0,
     fun cleanup/1,
     % Note that this must be a List of TestSet or Instantiator
     % (I have instantiators)
     [
      % First Iteration
      fun started_properly/1,
      % Second Iteration
      fun identify_seller/1,
      fun insert_item/1,
      fun withdraw_item/1
     ]}.

Awesome! And we got a bonus as well: how to run EUnit directly from the command line with the -eval flag. Cool, one-liners always make you feel more “1337”.
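The exact one-liner is not preserved in this archive; a typical shape for it, assuming the compiled beams end up in the current directory, would be something like:

# Compile the module and its tests, run the EUnit suite, then stop the VM.
erlc tradepost.erl tradepost_tests.erl
erl -noshell -pa . -eval 'eunit:test(tradepost), init:stop().'

Here eunit:test(tradepost) automatically picks up the companion tradepost_tests module.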

It all looks very good so far, but I will use the third iteration to fix up the EUnit module; it has way too much duplication and could be made more declarative (specifying what should be computed, not how; which is kind of more abstract, and of course someone will oppose).

Third Iteration – Eunit GenFSM DSL (do not worry)

Testing gen_fsm’s should ideally be all about testing state transitions, in-state computations, and variables. For this purpose, I would like to have a DSL that handles all the pesky details for me.

This is a symbolic method that defines our DSL in a still-readable way, hiding the logic. For this to work, we need a translation from our DSL to actual EUnit syntax without losing the EUnit machinery. We will also drop the intrusive introspection functions in favor of the better sys:get_status/1 (thank you, Ulf).

Thus, let the journey begin, first with the translation of the Test. This can be done in two ways: either at runtime, or at compile time with parse transforms. I choose the runtime approach, with translation functions and macros. Ulf Wiger has a neat library for cooler parse transforms, but I shall not use it for now (the code will probably be revised many times).

Knowing the basics of setup and cleanup, and understanding test representation, it’s time to look at EUnit test control. Test control encompasses the ability to specify:

If the TestSet should be run in a specific subprocess

If the TestSet should be run in a specific subprocess on a specific node

What timeout a TestSet should have

If the STO’s in the TestSet should be run in a specific predetermined order

If the STO’s in the TestSet should be run in parallel (if possible)

If the STO’s in the TestSet should be run in parallel (if possible), but with the added control that no more than N of them may run in parallel at the same time

Each of these control specifications is designated by a tuple (like most things in EUnit), and may replace any TestSet (single test or deep list) in the place where the testset was previously placed; the replaced testset is then placed inside the TestSet slot of the tuple.
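For reference, the control tuples corresponding to the list above look roughly like this in EUnit (the wrapped TestSet and the node name are placeholders):

% Each control tuple wraps the TestSet it replaces.
Tests = [fun() -> ?assert(true) end],
[{spawn, Tests},                 % run in a separate subprocess
 {spawn, 'test@host', Tests},    % run in a subprocess on a specific node
 {timeout, 10, Tests},           % give the tests 10 seconds in total
 {inorder, Tests},               % run strictly in the given order
 {inparallel, Tests},            % run in parallel if possible
 {inparallel, 4, Tests}].        % in parallel, but at most 4 at a time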

Replacing a single direct testset as the first element in a test-generating function (remember the _test_()):

As can be seen, the Control Tuple (CT) can be placed anywhere in a TestSet, and puts the replaced testset into itself. Conceptually, it can be thought of as a function CT(TestSet) which returns the CT with the testset inside.

This concludes spawn; as can be seen, all the tests pass, even the node-spawned ones. Don’t forget to load the code on the remote nodes first!

Timeout Control

{timeout, Time::number(), Tests}

The effect is that all tests in the TestSet “argument” are given a total of Time seconds to complete. If the TestSet has not finished within Time seconds, it is stopped abruptly without cleanup. Any setup and cleanup also count towards this time.

According to the error message, there is a bad usage of the Erlang BIF atom_to_list, from the module eunit_lib, in the function fun_parent:

{eunit_lib,fun_parent,1}

Now, if you go and read the source (eunit_lib),

%% @copyright 2004-2007 Mickaël Rémond, Richard Carlsson
%% @author Mickaël Rémond <mickael.remond@process-one.net>
%% [http://www.process-one.net/]
%% @author Richard Carlsson <richardc@it.uu.se>
%% [http://user.it.uu.se/~richardc/]
%% @private
%% @see eunit
%% @doc Utility functions for eunit
%% ---------------------------------------------------------------------
%% Get the name of the containing function for a fun. (This is encoded
%% in the name of the generated function that implements the fun.)
fun_parent(F) ->
    {module, M} = erlang:fun_info(F, module),
    {name, N} = erlang:fun_info(F, name),
    case erlang:fun_info(F, type) of
        {type, external} ->
            {arity, A} = erlang:fun_info(F, arity),
            {M, N, A};
        {type, local} ->
            [$-|S] = atom_to_list(N),
            C1 = string:chr(S, $/),
            C2 = string:chr(S, $-),
            {M, list_to_atom(string:sub_string(S, 1, C1 - 1)),
             list_to_integer(string:sub_string(S, C1 + 1, C2 - 1))}
    end.

The second line, fun_info(F, name), is the culprit. It seems as if the fun does not retain its name for some reason; fortunately, after discussing this with my senior friend Nicolas, it turns out the problem is caused by the module from which the fun was sent not being loaded on the other node where the tests are to be evaluated.

Thus, the simple solution is to make sure the remote node has loaded the test code a priori. This can be achieved with a module_info() call or code:load_file/1.
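One sketch of forcing the load on a remote node (the helper name and node name are assumptions; code:get_object_code/1, rpc:call/4, and code:load_binary/3 are standard OTP):

% Fetch the object code locally and load it on the remote node, so that
% funs sent over keep resolvable names there.
load_on_node(Node, Module) ->
    {Module, Binary, Filename} = code:get_object_code(Module),
    {module, Module} = rpc:call(Node, code, load_binary,
                                [Module, Filename, Binary]),
    ok.

Used, for example, as load_on_node('test@host', tradepost_tests) before running the node-spawned tests.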